Someone actually knowing or stumbling across the private key. Advances in computing managing to break the ECDLP and hash functions we use in order to reverse engineer the private key. Both of these things are incredibly unlikely to happen, but the chance is not zero.

There are ways to provably burn coins, by sending them to outputs which have invalid scripts and so can never be unlocked. We can say with 100% certainty that such coins will never be spent, because there is no way to unlock them. Coins sent to burn addresses are different - there is a way to unlock them, it's just that we assume nobody knows what it is.